Lucene search
K

4 matches found

Vulnrichment
Vulnrichment
added 2026/04/09 9:22 p.m.4 views

CVE-2026-40148 PraisonAI Affected by Decompression Bomb DoS via Recipe Bundle Extraction Without Size Limits

PraisonAI is a multi-agent teams system. Prior to 4.5.128, the safeextractall function in PraisonAI's recipe registry validates archive members against path traversal attacks but performs no checks on individual member sizes, cumulative extracted size, or member count before calling tar.extractal...

6.5CVSS5.8AI score0.00243EPSS
Exploits1References1
Cvelist
Cvelist
added 2026/04/09 9:22 p.m.25 views

CVE-2026-40148 PraisonAI Affected by Decompression Bomb DoS via Recipe Bundle Extraction Without Size Limits

PraisonAI is a multi-agent teams system. Prior to 4.5.128, the safeextractall function in PraisonAI's recipe registry validates archive members against path traversal attacks but performs no checks on individual member sizes, cumulative extracted size, or member count before calling tar.extractal...

6.5CVSS0.00243EPSS
Exploits1References1
OSV
OSV
added 2026/04/09 9:22 p.m.2 views

CVE-2026-40148 PraisonAI Affected by Decompression Bomb DoS via Recipe Bundle Extraction Without Size Limits

PraisonAI is a multi-agent teams system. Prior to 4.5.128, the safeextractall function in PraisonAI's recipe registry validates archive members against path traversal attacks but performs no checks on individual member sizes, cumulative extracted size, or member count before calling tar.extractal...

6.5CVSS6AI score0.00243EPSS
Exploits1References3
Positive Technologies
Positive Technologies
added 2026/04/06 12:0 a.m.6 views

PT-2026-30765

Summary PraisonAI's recipe registry pull flow extracts attacker-controlled .praison tar archives with tar.extractall and does not validate archive member paths before extraction. A malicious publisher can upload a recipe bundle that contains ../ traversal entries and any user who later pulls that...

7.3CVSS6.1AI score0.00291EPSS
Exploits1References5
Rows per page
Query Builder